From eb3e28fa18a882982c6aaee9ac7a0090e746735d Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Fri, 10 Sep 2021 20:00:01 -0700 Subject: [PATCH] apr: Security fix for CVE-2021-35940 Source: https://dist.apache.org MR: 112793 Type: Security Fix Disposition: Backport from https://dist.apache.org/repos/dist/release/apr/patches/apr-1.7.0-CVE-2021-35940.patch ChangeID: c8247210204ffcc7d1425e3d60f077ad3dd54ebc Description: An out-of-bounds array read in the apr_time_exp*() functions was fixed in the Apache Portable Runtime 1.6.3 release (CVE-2017-12613). The fix for this issue was not carried forward to the APR 1.7.x branch, and hence version 1.7.0 regressed compared to 1.6.3 and is vulnerable to the same issue. (From OE-Core rev: 315262830bfe2bc8b2a9259541bb3a0bc83a2cdd) Signed-off-by: Armin Kuster Signed-off-by: Steve Sakoman Signed-off-by: Richard Purdie --- .../apr/apr/CVE-2021-35940.patch | 58 +++++++++++++++++++ meta/recipes-support/apr/apr_1.7.0.bb | 1 + 2 files changed, 59 insertions(+) create mode 100644 meta/recipes-support/apr/apr/CVE-2021-35940.patch diff --git a/meta/recipes-support/apr/apr/CVE-2021-35940.patch b/meta/recipes-support/apr/apr/CVE-2021-35940.patch new file mode 100644 index 0000000000..00befdacee --- /dev/null +++ b/meta/recipes-support/apr/apr/CVE-2021-35940.patch @@ -0,0 +1,58 @@ + +SECURITY: CVE-2021-35940 (cve.mitre.org) + +Restore fix for CVE-2017-12613 which was missing in 1.7.x branch, though +was addressed in 1.6.x in 1.6.3 and later via r1807976. + +The fix was merged back to 1.7.x in r1891198. + +Since this was a regression in 1.7.0, a new CVE name has been assigned +to track this, CVE-2021-35940. + +Thanks to Iveta Cesalova for reporting this issue. + +https://svn.apache.org/viewvc?view=revision&revision=1891198 + +Upstream-Status: Backport +CVE: CVE-2021-35940 +Signed-off-by: Armin Kuster + + +Index: time/unix/time.c +=================================================================== +--- a/time/unix/time.c (revision 1891197) ++++ b/time/unix/time.c (revision 1891198) +@@ -142,6 +142,9 @@ + static const int dayoffset[12] = + {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275}; + ++ if (xt->tm_mon < 0 || xt->tm_mon >= 12) ++ return APR_EBADDATE; ++ + /* shift new year to 1st March in order to make leap year calc easy */ + + if (xt->tm_mon < 2) +Index: time/win32/time.c +=================================================================== +--- a/time/win32/time.c (revision 1891197) ++++ b/time/win32/time.c (revision 1891198) +@@ -54,6 +54,9 @@ + static const int dayoffset[12] = + {0, 31, 59, 90, 120, 151, 181, 212, 243, 273, 304, 334}; + ++ if (tm->wMonth < 1 || tm->wMonth > 12) ++ return APR_EBADDATE; ++ + /* Note; the caller is responsible for filling in detailed tm_usec, + * tm_gmtoff and tm_isdst data when applicable. + */ +@@ -228,6 +231,9 @@ + static const int dayoffset[12] = + {306, 337, 0, 31, 61, 92, 122, 153, 184, 214, 245, 275}; + ++ if (xt->tm_mon < 0 || xt->tm_mon >= 12) ++ return APR_EBADDATE; ++ + /* shift new year to 1st March in order to make leap year calc easy */ + + if (xt->tm_mon < 2) diff --git a/meta/recipes-support/apr/apr_1.7.0.bb b/meta/recipes-support/apr/apr_1.7.0.bb index 432fa3255c..92cc61a864 100644 --- a/meta/recipes-support/apr/apr_1.7.0.bb +++ b/meta/recipes-support/apr/apr_1.7.0.bb @@ -23,6 +23,7 @@ SRC_URI = "${APACHE_MIRROR}/apr/${BPN}-${PV}.tar.bz2 \ file://0007-explicitly-link-libapr-against-phtread-to-make-gold-.patch \ file://libtoolize_check.patch \ file://0001-Add-option-to-disable-timed-dependant-tests.patch \ + file://CVE-2021-35940.patch \ " SRC_URI[md5sum] = "7a14a83d664e87599ea25ff4432e48a7"